SMTP in Microsoft 365: Why Direct Send Is a Major Security Risk
September 22, 2025
Sarvjit Pabla


Tags: Cyber Threat Trends, M365, SMTP, Cybersecurity Services

SMTP in Microsoft 365: The Direct Send Risk You Can’t Ignore

Email is still the number one attack vector, and a weakness in Microsoft 365 has recently been drawing attention. It is tied to an often-overlooked feature called Direct Send, a built-in way for devices and applications to deliver mail to your own users without authenticating. Direct Send was designed for convenience, but attackers are now using it to bypass defenses and make phishing emails look as if they came from inside your company.

What Is Direct Send?

Direct Send lets devices and applications such as copiers, scanners, or legacy line-of-business apps send email to mailboxes in your tenant without a username, password, or licensed mailbox. The device opens a plain SMTP connection on port 25 to your tenant's MX endpoint (for example contoso-com.mail.protection.outlook.com) and hands over a message addressed to one of your own users; Direct Send can only deliver to recipients inside your organization. Because no credentials are involved, Exchange Online has no proof of who the sender really is and takes the From address at face value. When Direct Send is left at its default, accepting such connections from any source, anyone on the internet can push messages into your tenant in the name of your own domain. SPF, DKIM, and DMARC may be evaluated and may even fail, yet because the message looks like internal mail those checks do not reliably stop it.
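A quick way to see whether your own tenant accepts Direct Send is to try it from outside, the same way an attacker would. The following PowerShell script is an added example written for this article, not code from Microsoft or from the original post. The domain contoso.com, the two addresses, and the assumption that you run it from a Windows host outside your allowed device IP ranges with outbound TCP port 25 open are placeholders and assumptions for illustration. Only run it against a tenant you administer, and send to a mailbox you control.

```powershell
# Added example (not from the original article): test whether a Microsoft 365
# tenant accepts unauthenticated Direct Send from an outside host.
# Assumptions: contoso.com is your tenant domain, the addresses are placeholders,
# and you run this from a machine OUTSIDE your allowed device IPs with TCP/25 open.
# Resolve-DnsName requires the Windows DnsClient module.

param(
    [string]$Domain = "contoso.com",              # assumed tenant domain
    [string]$From   = "ceo@contoso.com",          # internal address to impersonate (yours)
    [string]$To     = "securitytest@contoso.com"  # mailbox you control in the same tenant
)

# 1. Direct Send targets the tenant's MX endpoint, normally
#    <domain>-<tld>.mail.protection.outlook.com. Pick the lowest-preference MX.
$mx = (Resolve-DnsName -Name $Domain -Type MX |
       Sort-Object Preference |
       Select-Object -First 1).NameExchange
Write-Host "MX endpoint for ${Domain}: $mx"

# 2. Hand the message to that endpoint over plain SMTP on port 25, with no
#    credentials at all. If this lands in the inbox, anyone on the internet can
#    do the same with any From address in your domain.
try {
    Send-MailMessage -SmtpServer $mx -Port 25 -From $From -To $To `
        -Subject "Direct Send exposure test $(Get-Date -Format s)" `
        -Body "If you are reading this in the inbox, unauthenticated Direct Send is accepted." `
        -ErrorAction Stop
    Write-Host "Accepted by $mx. Check $To (inbox, junk, or quarantine) and read the message headers."
} catch {
    # A tenant with Reject Direct Send enabled refuses the message here
    # (Microsoft documents the rejection as 550 5.7.68).
    Write-Host "Rejected: $($_.Exception.Message)"
}
```

Where the test message ends up matters as much as whether it was accepted: delivered to the inbox with no warning banner means your tenant has exactly the exposure this article describes, while a junk-folder or quarantine outcome means some downstream control caught it and you should find out which one, because that control is now the only thing standing between the attacker and your users.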

How Attackers Are Exploiting It

Here’s what security researchers have been seeing over the last few months:

  • Internal-looking phishing emails: Attackers push malicious messages through Direct Send so they appear to come from your own domain, addressed to your own users. Employees trust them far more than an obvious external email.
  • Spoofing: Since the connection is unauthenticated and the From address is taken at face value, attackers can impersonate any address in your domain, including executives and IT staff.
  • Stealth at scale: Because the messages arrive through your tenant's own Microsoft endpoint rather than through a gateway in front of it, many security gateways and filtering rules treat them as trusted internal mail and let them straight in.

Some organizations have already reported dozens of compromises tied back to this exact attack method.

Why It’s Dangerous

  • Your domain reputation can be damaged if attackers abuse your tenant.
  • Internal trust is weaponized — staff are more likely to click links or open files if they believe an email came from a coworker.
  • Security layers that normally stop spoofing may not catch Direct Send abuse.
  • A phish delivered this way that yields stolen credentials or a malicious attachment can cripple operations within days.

What You Should Do

If you use Microsoft 365, here are some practical steps:

  1. Turn off Direct Send if you don't need it. Exchange Online now has a tenant-level Reject Direct Send setting (Set-OrganizationConfig with the RejectDirectSend parameter set to true); once it is on, unauthenticated mail to your MX endpoint is refused unless it arrives through a connector. For most modern apps and devices, authenticated SMTP client submission or the Microsoft Graph API are safer choices.
  2. If you must keep it, restrict by IP address: put each device behind an inbound connector that only accepts mail from that device's known public address, so everything else is rejected.
  3. Tighten email authentication: publish an SPF record ending in -all, sign outbound mail with DKIM, and move DMARC to p=quarantine or p=reject for your domains. These checks have not reliably stopped Direct Send abuse on their own, because the spoofed message is treated as internal, so treat them as necessary but not sufficient.
  4. Monitor internal-looking messages: use a mail flow rule to tag or quarantine mail whose sender domain is yours but which entered the tenant from outside your organization.
  5. Alert on unusual relay activity: review message trace for delivered mail that claims your domain as sender but arrived from an external IP you don't recognize. If outside systems are sending through your tenant, you want to know fast.
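The five steps above, carried out in Exchange Online PowerShell, as an added example written for this article rather than code from Microsoft or the original post. It assumes the ExchangeOnlineManagement module is installed, that contoso.com is your domain, and that 203.0.113.10 is the public IP of the one scanner that still needs unauthenticated SMTP; all three are placeholders. Step 3 is DNS, so it is shown as a check rather than a change.

```powershell
# Added example (not from the original article): Exchange Online PowerShell
# hardening for Direct Send. Assumptions (placeholders): contoso.com is your
# tenant domain, 203.0.113.10 is the scanner's public IP, and you sign in as an
# Exchange administrator. Review each step before running it in production.

$Domain    = "contoso.com"
$ScannerIP = "203.0.113.10"

Connect-ExchangeOnline   # interactive sign-in as an Exchange administrator

# Step 1: reject unauthenticated Direct Send at the tenant level.
# Show the current value first so the change is auditable, then enable it.
Get-OrganizationConfig | Select-Object -ExpandProperty RejectDirectSend
Set-OrganizationConfig -RejectDirectSend $true

# Step 2: a device that genuinely needs unauthenticated SMTP gets an inbound
# connector locked to its source IP. Mail through a connector is still accepted
# after step 1; mail from any other IP that claims these domains is rejected.
New-InboundConnector -Name "Office scanner (IP-restricted)" `
    -ConnectorType OnPremises `
    -SenderDomains "*" `
    -SenderIPAddresses $ScannerIP `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $false `
    -Enabled $true

# Step 3: confirm the DNS side. SPF should end in -all; DMARC should not be p=none.
Resolve-DnsName -Name $Domain -Type TXT |
    Where-Object { $_.Strings -like "v=spf1*" } |
    Select-Object -ExpandProperty Strings
Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT |
    Select-Object -ExpandProperty Strings

# Step 4: tag messages whose sender domain is yours but which entered from
# outside the organization. Start with a subject tag; switch to -Quarantine $true
# once you have confirmed no legitimate flow is hit. Send the Direct Send test
# message again afterwards to confirm the rule fires on unauthenticated mail.
New-TransportRule -Name "Tag external mail spoofing $Domain" `
    -FromScope NotInOrganization `
    -SenderDomainIs $Domain `
    -PrependSubject "[EXTERNAL - claims to be internal] " `
    -Comments "Direct Send / spoof detection; review hits weekly"

# Step 5: look back over the last 7 days for delivered mail that claims your
# domain as sender, was addressed to your own users (Direct Send only delivers
# internally), and came from an external IP other than the scanner.
# Genuinely internal mail normally has no FromIP; anything else needs a look.
# Newer tenants use Get-MessageTraceV2 with the same filters.
$since = (Get-Date).AddDays(-7)
Get-MessageTrace -StartDate $since -EndDate (Get-Date) -Status Delivered -PageSize 5000 |
    Where-Object {
        $_.SenderAddress    -like "*@$Domain" -and
        $_.RecipientAddress -like "*@$Domain" -and
        $_.FromIP -and $_.FromIP -ne $ScannerIP
    } |
    Group-Object FromIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run step 5 before step 1 as well as after: the "before" list tells you which devices and services are still relying on Direct Send, so you can give each one a connector or move it to authenticated submission instead of discovering them as broken scanners the morning after you flip the switch.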

The Bottom Line

Direct Send is one of those features that made sense years ago but is now being turned against us. If your organization isn’t actively using it, disable it. If you are, lock it down and monitor closely. Security in Microsoft 365 is a shared responsibility: Microsoft provides the tools, but it’s up to each organization to configure them securely.

Email is still the #1 way mid-market businesses get breached — and Microsoft 365 misconfigurations like Direct Send make it even easier. Secure Microsoft 365 the Right Way — Start with a Free Security Assessment.
